Microsoft used this month’s Patch Tuesday cycle to patch a six-month-old vulnerability affecting all Windows systems and exposing users to attacks when visiting malicious websites.

Security company Trend Micro reveals that the zero-day information disclosure vulnerability tracked as CVE-2017-0022 was first reported to the software giant in September last year and had already been included in at least two exploit kits.

Specifically, this security flaw exists in all Windows versions currently supported by Microsoft (there is a good chance Windows XP is also affected, but security patches are no longer released for that OS version) and allows attackers to see which applications are installed on a victim’s computer.

This way, cybercriminals can check for security software that could block their malware, and also look for other vulnerable applications that could let them break into the system and deploy further malicious files.

In order to exploit the flaw, users of unpatched Windows systems need to visit a compromised website, so most attackers rely on phishing campaigns to lure victims to these pages.

"Look for MS17-022 to stay secure"

The vulnerability was already in use before the patch: Trend Micro says that both AdGholas and Neutrino were spotted using it in mid-2016.

“If CVE-2017-0022 is integrated into an exploit kit such as Neutrino, it analyzes the system for signs of security software and checks if the browser is using any sandbox solutions. In addition, it inspects the system for the presence of any packet capture software,” Trend Micro explains.

Microsoft fixed the vulnerability with MS17-022, a security bulletin rated Important that delivers updates for Microsoft XML Core Services.

“This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user visits a malicious website. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message,” Microsoft says.

Needless to say, Windows users are advised to deploy these patches as soon as possible. On systems where the update cannot yet be installed, the recommended workaround is to avoid opening URLs from untrusted sources.